Archive for March, 2010


TIME: To Battle Computer Hackers, the Pentagon Trains Its Own

Thursday, Mar. 18, 2010

After years of building firewalls and other defenses against relentless hacker attacks, the Pentagon is going over to the dark side of computer warfare. Only ethically, of course. The Defense Department, like most large organizations, has recognized that no wall is high enough to keep out skilled and determined hackers for keeps. Instead, it has decided that in order to anticipate and thwart those attacks, it needs to know what the hackers know.

“More than 100 foreign intelligence organizations are trying to hack into U.S. systems,” Deputy Defense Secretary William Lynn warned last month. “Some governments already have the capacity to disrupt elements of the U.S. information infrastructure.” So the Pentagon recently modified its regulations to allow military computer experts to be trained in computer hacking, gaining designation as “certified ethical hackers.” They’ll join more than 20,000 such good-guy hackers around the world who have earned that recognition since 2003 from the private International Council of E-Commerce Consultants (also known as the EC-Council).

“We are creating cyber-bodyguards,” says Sanjay Bavisi, president of the council. “We’re not creating combat people.” But as the world becomes increasingly interconnected via the Internet, the stakes have become too high to rely on static defenses alone to protect the immense flows of vital information that operate the world’s financial, medical, governmental and infrastructure systems. “The bad guys already have the hacking technologies,” Bavisi says. “We can say, ‘Tough luck, the bad guys play by different rules and you can’t do anything about it, so just go lock your doors.’ Or we can tell the good guys, ‘We will arm you with the same knowledge as the bad guys, because to defeat the hacker you need to be able to think like one.’”

Bavisi and the Pentagon are sensitive to the possibility that the tactics taught could be used for other purposes. “We’re not training Department of Defense guys to become hackers and start hacking into China or any other countries,” he says. Week-long courses will train them in 150 different hacking techniques and technologies, ranging from viruses, worms, sniffers and phishing to cyber warfare. The cost of the course ranges from $450 to $2,500 depending on the training involved.

Pentagon personnel “are not learning to hack,” insists Air Force Lieut. Col. Eric Butterbaugh. While the EC-Council calls it “Certified Ethical Hacker” training, the U.S. military also calls it “penetration testing training” or “red-teaming.” These are proven military techniques that have been used for decades to hone war-fighting skills. The Air Force and Navy, for example, maintain “aggressor squadrons” of F-5 and MiG warplanes to give U.S. military pilots practice against the tactics of potential foes. And the Army’s National Training Center at Fort Irwin, Calif., has long boasted a highly-trained “op-for” — opposition force — that regular U.S. Army units engage in realistic war games.

The program will be no cure-all for the Pentagon, whose networks are hacked hundreds of times a day. Adriel Desautels, the chief technology officer at Netragard LLC., a Massachusetts-based anti-hacking outfit, says that while “it’s better than nothing,” there are simply too many vulnerabilities to protect the Pentagon’s estimated 10 million computers. Desautels likens it to 1,000 Dutch boys trying to stop water from flowing through a dike springing millions of leaks. “The threat is defined by the real black hats, and it’s impossible to know what the black hats are researching,” he says. “The number of vulnerabilities far exceeds what any white hats are going to discover.”

Both Butterbaugh and Bavisi say there are no concerns that military personnel trained as hackers might go rogue. “Computer network defense service providers,” Butterbaugh says, “are vetted and have security clearances.” Not only that, adds Bavisi: those trained as ethical hackers have to sign a legally binding pledge that they will not engage in malicious hacking. “So far,” he says, “we haven’t had a single case where someone became a real hacker.”


EC-Council Highlights the Current Trends and Practices in Software Assurance at the Department of Homeland Security 2010 Software Assurance Forum

Virginia, March 10, 2010 – Jay Bavisi, LLB, co-founder and president of EC-Council, recently presented his organization’s findings on the current software assurance environment – both problems and opportunities – at the 12th Semi-Annual Software Assurance Forum.

Bavisi shared the panel with Steve Lipner, Microsoft’s senior director of security engineering strategy, and Dr. Richard H.L. Marshall, Department of Homeland Security, director of global cyber security management. The panel discussed and identified gaps and opportunities in the current software assurance landscape and debated the reliability of various knowledge resources being developed and made available by leading organizations and governments.

“Better software assurance is vital to U.S. cyber security as well as our global digital society,” Bavisi said. “By hardening software in advance, we can reduce the ‘vulnerability gap’ that occurs between a known security flaw and the release of a patch, thus improving e-commerce, government security, and consumer confidence in the digital universe. EC-Council plays an active role in helping the information security community seek ways to reduce software vulnerabilities and minimize exploitation – and we regularly make available our diagnostic expertise to software developers and governments in order to analyze these systems for exploitable weaknesses.”

“Software development needs to be informed by incident response; it needs threat modeling and application penetrating testing,” said Joe Jarzombek, PMP, CSSLP, director of the Software Assurance Forum. “Secure coding is needed to avoid exploitable weaknesses being introduced.”

The March 9-12 Software Assurance Forum was co-sponsored by organizations in the Department of Homeland Security (DHS), Department of Defense (DoD) and the National Institute for Standards & Technology (NIST). The forum was attended by various members of the U.S. Department of Homeland Security, the Department of Defense and US-CERT, and by representatives from leading industry software manufacturers as well as from academia. The Software Assurance Forum aims to encourage software developers to be pro-active in raising overall software security and quality during inception instead of relying on reactionary approaches such as applying patches after software vulnerabilities are found.

For more information about the Software Assurance Forum, visit: https://buildsecurityin.us-cert.gov/swa/index.html

About EC-Council
The International Council of E-Commerce Consultants (EC-Council) is a member-based organization that certifies individuals in cyber security and e-commerce skills. It is the owner and developer of 16 security certifications, including Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (CHFI) and EC-Council Certified Security Analyst (ECSA)/License Penetration Tester (LPT). Its certificate programs are offered in over 60 countries around the world.

EC-Council has trained over 60,000 individuals and certified more than 30,000 members, through more than 450 training partners globally. These certifications are recognized worldwide and have received endorsements from various government agencies including the U.S. federal government via the Montgomery GI Bill, Department of Defense via DoD 8570.01-M, National Security Agency (NSA) and the Committee on National Security Systems (CNSS).

EC-Council also operates EC-Council University and the global series of Hacker Halted security conferences. The global organization is headquartered in Albuquerque, New Mexico.

For more information about EC-Council, visit the website: www.eccouncil.org

About DHS
The United States Department of Homeland Security (DHS) is a Cabinet department of the United States federal government with the primary responsibilities of protecting the territory of the U.S. from threats ranging from cybersecurity analyst to chemical facility inspector. DHS upholds aviation and border security as well as responding to natural disasters.

About US-CERT
US-CERT is charged with providing response support and defence against cyber attacks for the Federal Civil Executive Branch (.gov) and information sharing and collaboration with state and local government, industry and international partners. It interacts with federal agencies, industry, the research community, state and local governments, and others to disseminate reasoned and actionable cyber security information to the public. US-CERT also provides a way for citizens, businesses, and other institutions to communicate and coordinate directly with the United States government about cyber security.

About Software Assurance Forum
The key objective of the Software Assurance Forum is to shift the security paradigm from patch management to software assurance. This shift is designed to encourage software developers to raise overall software quality and security from the start, rather than relying on applying patches to systems after vulnerabilities are discovered.

The intent of this Forum is to continue to bring together members of government, industry, and academia with vested interests in software assurance to discuss and promote integrity, security, and reliability in software. Progress updates on relevant programs and initiatives will also be presented. If you are developing practical solutions to problems relating to examining alternatives to mitigate security risks attributable to software that affect both government and industry, you will benefit from attending the Software Assurance Forum.


Sanjay Bavisi Explains the Importance of Ethical Hacking in Cyber Defense

Jay Bavisi, President of EC-Council, explains what ethical hacking is all about and the important role it plays in cyber defense.



The Naval Post Graduate School (NPS) Joins the EC-Council Authorized Academic Training Center Program

Albuquerque, January 1, 2010 – Premier US Naval (and other arms of the United States Department of Defense, DoD) academic institution adopts EC-Council Certified Ethical Hacker certification to continue in its mission to provide relevant and unique advanced education and research programs that increase the combat effectiveness of the United States and Allied Forces.

“We are proud to welcome the Naval Post Graduate School to our family of EC-Council Authorized Academic Training centers. NPS joins other current US military training groups such as the Air Force Information Operations Center (AFIOC) and the 262 Warfare Squadron in delivering the Certified Ethical Hacker training curriculum,” said Eric Lopez, Director of Education for EC Council. Mr. Lopez also said, “We believe that the NPS will be instrumental in helping US government agencies close the skills gap required to assure that they stay ahead of the hackers.”

“The Naval Postgraduate School is honored to partner with EC-Council. The NPS mission of education, communication, and providing internationally accredited professional standards was integral in our decision to utilize their curriculum and certifications,” said Scott Cote, NPS Senior Lecturer/Computer Science Dept.

Mr. Cote also went on to say, “Now, more than ever, the Department of Defense must remain vigilant in the cyber arena and our partnership with EC-Council enables us to educate our military leaders in today’s cyber threats; teaching them the methodologies, motives, and means hackers and cyber terrorists may use against us. With their assistance, we stand more ready today than ever before to protect our nation’s cyber infrastructures.”

About EC-Council
The International Council of E-Commerce Consultants (EC-Council) is a member-based organization that certifies individuals in various e-business and security skills. EC-Council is the owner and developer of the world-famous EC-Council Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (C|HFI), Certified Security Analyst (ECSA), License Penetration Tester (LPT) programs, and various others offered in over 60 countries around the globe. These certifications are recognized worldwide and have received endorsements from various government agencies including the US Federal Government via the Montgomery GI Bill, and the US Government National Security Agency (NSA) and the Committee on National Security Systems (CNSS) certifying EC-Council’s Certified Ethical Hacking (CEH), Network Security Administrator (ENSA), Computer Hacking Forensics Investigator (CHFI), Disaster Recovery Professional (EDRP), Certified Security Analyst (E|CSA) and Licensed Penetration Tester (LPT) certification program for meeting the 4011, 4012, 4013A, 4014, 4015 and 4016 training standards for information security professionals. For more information about EC-Council, please visit http://www.eccouncil.org

About the Naval Post Graduate School (NPS)
The Naval Postgraduate School is an academic institution whose emphasis is on study and research programs relevant to the Navy’s interests, as well as to the interests of other arms of the Department of Defense. The programs are designed to accommodate the unique requirements of the military.

Nearly 1,500 students attend the Naval Postgraduate School. The student body consists of officers from the five U.S. uniformed services, officers from approximately 30 other countries and a small number of civilian employees. Selection of officers for fully funded graduate education is based upon outstanding professional performance as an officer, promotion potential and a strong academic background.

For more information visit http://www.nps.edu or call (831) 656-2023


KBU’s computing course promises good prospects

Feb 7, 2010

DOES hacking mean committing a crime? Not necessarily, according to IT Security specialist EC Council Asia Pacific.

The leading IT Security certification body, in collaboration with KBU’s School of Engineering and Computing, recently held a talk to shed some light on computer security and ethical hacking concepts.

The talk changed the perception of many as most people were under the impression that the terms hacking and hackers usually bring about some negative connotations.

During the talk, KBU students discovered that in the computing community, being branded as hackers could be complimentary in nature, depending on the context.

More often than not, the primary meaning of the term refers to someone who is considered a brilliant programmer or technical expert.

During the much-awaited event, students were also given the opportunity to watch a live demo on ethical hacking presented by the EC Council presenters.

EC Council offers both business and technical training needed to build successful e-businesses.

KBU School of Engineering and Computing deputy head Dr Christine Lee said there was a huge turnout at the event as students were anxious to learn about ethical hacking and ways and means of practicing it.

She said the lecture theatre was packed with not only students from the School of Engineering and Computing but also those from the School of Business, Hospitality and Tourism Management and the School of Design.


United States Department of Defense Embraces Hacker Certification to Protect U.S. Interests

ALBUQUERQUE NM, March 1, 2010 – EC-Council announces the official approval of the EC-Council Certified Ethical Hacker (CEH) certification as a new baseline skills certification option for U.S. cyber defenders. Specifically, the new Certified Ethical Hacker program is a recognized certification for the DoD’s Computer Network Defense Service Providers (CND-SPs), a specialized personnel classification within the United States Department of Defense’s information assurance workforce.

The Certified Ethical Hacker recognition falls under the auspices of DoD Directive 8570 Information Assurance Workforce Improvement Program. Directive 8570 provides clear guidance to information assurance training, certification and workforce management across all affected components of the DoD.

The CND-SP groups protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information systems and computer networks.

With this directive, military service, contractors, and foreign employees across all job descriptions must show 100-percent compliance, CEH being one option to achieve and maintain compliance. This shows the DoD’s focus on increasing training and preparation of the U.S. military workforce in the Computer Network Defense Service Provider category.

The Certified Ethical Hacker qualification tests the certification holder’s knowledge of the mindset, tools and techniques of a hacker, fortifying its certification tag line: “To beat a hacker, you must think like one.”

“CEH has been selected due to the immense technical and tactical nature of the certification,” said Jay Bavisi, co-founder and president of EC-Council. “It is one of the most technically advanced certifications on the directive for CND-SP professionals. In fact, it is the only certification approved across four out of the five categories to prepare the CNDSP teams. While other policy-based programs add value, CEH prepares the U.S. CND-SP’s to combat hackers in real time, defending U.S. interests globally.”

Bavisi added: “We have been researching this space for quite some time and with this directive from the DoD, there has never been a better time for us to beat the hackers at their own game. We are racing to research complex hacker techniques and in the next release of our CEH program, we hope to showcase in over 150 modules, detailed and extremely complex attack and countermeasures that will help raise the level of knowledge of the CND-SP teams.”

ABOUT EC-COUNCIL:

The International Council of E-Commerce Consultants (EC-Council) is a member-based organization that certifies individuals in cyber security and e-commerce skills. It is the owner and developer of 16 security certifications, including Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (CHFI) and EC-Council Certified Security Analyst (ECSA)/License Penetration Tester (LPT). Its certificate programs are offered in over 60 countries around the world.

EC-Council has trained over 60,000 individuals and certified more than 22,000 members, through more than 450 training partners globally. These certifications are recognized worldwide and have received endorsements from various government agencies including the U.S. federal government via the Montgomery GI Bill, Department of Defense via DoD 8570.01-M, National Security Agency (NSA) and the Committee on National Security Systems (CNSS).

EC-Council also operates EC-Council University and the global series of Hacker Halted security conferences. The global organization is headquartered in Albuquerque, New Mexico.

For more information about EC-Council, visit the website: www.eccouncil.org.


Washington Post – Hacker Training

The Pentagon has ordered all troops and officials involved in protecting computer networks from enemy hackers to undergo training in computer hacking themselves.

A Feb. 25 update to a directive on information security from the office of the assistant defense secretary for networks and information integration requires workers involved in what the Pentagon calls computer-network defense to be certified in understanding as many as 150 hacking techniques.

The new training requirement comes as the Pentagon is moving ahead with creation of a new Cyberwarfare Command at Fort Meade, Md.

The certification will be carried out by specialists at the private International Council of E-Commerce Consultants, known as the EC-Council, which conducts what it calls “ethical hacker” training.

The council’s president, Jay Bavisi, said the updated directive is the first time the Pentagon acknowledged publicly that it conducts hacker training.



EC-Council trains Italy’s first batch of Computer Hacking Forensic Investigators in Rome

ROME, February 1, 2010 – Italy’s very first Computer Hacking Forensic Investigator (CHFI) training was successfully conducted by Elea Spa, one of EC-Council’s Accredited Training Centres in Rome. The class was made up of 12 members of the forensic team of a major Italian company, and upon completion, they have successfully joined the global community of EC-Council certified information security members that currently stands at over 25,000 across 60 countries.

The CHFI program lets participants acquire the necessary skills to identify an intruder’s footprints and to properly gather the necessary evidence to prosecute. Many of the top tools, technologies and methodologies of the forensic trade are featured in the program, including software, hardware and specialized techniques. The CHFI curriculum has recently been certified to meet the stringent CNSS 4012 standards, awarded by the US National Security Agency (NSA) and Committee on National Security Systems (CNSS).

“We would like to thank EC-Council for the excellent in-depth CHFI program and Elea Spa for providing a conducive training environment. A special mention of Mattia Epifani, Certified EC-Council Instructor, for his professionalism and expertise in teaching the program,” said Giuseppe Mazzaraco, Fraud Management Chief of Corporate Investigation & Fraud Prevenzion of the Italian Firm.

Sean Lim, Vice President of EC-Council, commented, “The CHFI program being embraced by one of the largest and respected Italian firms is a testament of the quality of our programs. We will be working together closely with our Accredited Training Centers to provide and deliver more quality training to the security community in Italy.”